The server was working fine locally because of the JSON key, but on Cloud Run it unexpectedly gave me this error.
I tried to add the "Service Account Token Creator" role, but it still did not work. I added this role in more places, but no luck!
For your problem, the Cloud Run service is not using the service account that you think it is.
Execute the following CLI command:

```bash
gcloud run services describe <CLOUD_RUN_SERVICE_NAME>
```

Find the entry for Service account in the output. That is the service account assigned to the service.
To sign data, the service account must have the permission iam.serviceAccounts.signBlob. The recommended IAM role is Service Account Token Creator.
To add that role execute the following command:

```bash
gcloud projects add-iam-policy-binding <PROJECT_ID> \
  --member=serviceAccount:<SERVICE_ACCOUNT_EMAIL_ADDRESS> \
  --role=roles/iam.serviceAccountTokenCreator
```
To list the service account's Project IAM bindings:

```bash
gcloud projects get-iam-policy <PROJECT_ID> \
  --flatten="bindings[].members" \
  --format="table(bindings.role)" \
  --filter="bindings.members:<SERVICE_ACCOUNT_EMAIL_ADDRESS>"
```
If you want tighter security, you can assign the IAM role to the service account itself so that the service account can only sign data using its own service account and not using another service account:

```bash
gcloud iam service-accounts add-iam-policy-binding <SERVICE_ACCOUNT_EMAIL_ADDRESS> \
  --member=serviceAccount:<SERVICE_ACCOUNT_EMAIL_ADDRESS> \
  --role=roles/iam.serviceAccountTokenCreator
```

Notice that this command assigns the permission to itself. The service account email address is specified twice: the first time as the resource, the second time as a member (with the `serviceAccount:` prefix).
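The three checks in this answer (which service account the Cloud Run revision actually runs as, and whether that account holds Service Account Token Creator at project scope or only on itself) can be run offline over the JSON that `gcloud ... --format=json` prints. This is an added example, not code from the question or answer; the three JSON documents below are constructed samples that mimic the shape of `gcloud run services describe`, `gcloud projects get-iam-policy` and `gcloud iam service-accounts get-iam-policy` output, and the project and account names in them are made up.

```python
import json

TOKEN_CREATOR = "roles/iam.serviceAccountTokenCreator"  # carries iam.serviceAccounts.signBlob

# Constructed sample of `gcloud run services describe <SVC> --format=json` (Knative shape).
RUN_SERVICE = json.loads("""
{"spec": {"template": {"spec": {"serviceAccountName": "signer@my-project.iam.gserviceaccount.com"}}}}
""")

# Constructed sample of `gcloud projects get-iam-policy my-project --format=json`.
# The role was granted to the default compute SA, not to the SA Cloud Run actually uses:
# exactly the mismatch the answer describes.
PROJECT_POLICY = json.loads("""
{"bindings": [
  {"role": "roles/iam.serviceAccountTokenCreator",
   "members": ["serviceAccount:123456-compute@developer.gserviceaccount.com"]},
  {"role": "roles/run.invoker", "members": ["allUsers"]}
]}
""")

# Constructed sample of `gcloud iam service-accounts get-iam-policy <SA> --format=json`
# for signer@...: the least-privilege form, the account may sign only with its own key.
SA_POLICY = json.loads("""
{"bindings": [
  {"role": "roles/iam.serviceAccountTokenCreator",
   "members": ["serviceAccount:signer@my-project.iam.gserviceaccount.com"]}
]}
""")

def runtime_service_account(service):
    """Service account the Cloud Run revision runs as ('' means the default compute SA)."""
    return service["spec"]["template"]["spec"].get("serviceAccountName", "")

def roles_for_member(policy, member):
    """All roles bound to `member` in an IAM policy dict (same idea as the
    --flatten/--filter gcloud invocation in the answer)."""
    return {b["role"] for b in policy.get("bindings", []) if member in b.get("members", [])}

def sign_blob_grant(sa_email, project_policy, sa_policy):
    """Where the SA gets signBlob from: 'project' (may sign as any SA in the project),
    'self' (only its own identity), or 'none' (the error in the question)."""
    member = f"serviceAccount:{sa_email}"  # IAM members always carry the type prefix
    if TOKEN_CREATOR in roles_for_member(project_policy, member):
        return "project"
    if TOKEN_CREATOR in roles_for_member(sa_policy, member):
        return "self"
    return "none"

if __name__ == "__main__":
    sa = runtime_service_account(RUN_SERVICE)
    print(sa, sign_blob_grant(sa, PROJECT_POLICY, SA_POLICY))
```

Feed it the real `--format=json` output of the three commands and a result of `none` for the runtime account is the misconfiguration to fix; `project` works but is broader than the self-binding the answer recommends.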